...
|
...
|
@@ -1577,7 +1577,8 @@ static int load_oneldb(char *buffer, int chkpua, struct cl_engine *engine, unsig
|
1577
|
1577
|
#if !HAVE_PCRE
|
1578
|
1578
|
/* Regex Usage and Support Check */
|
1579
|
1579
|
for (i = 0; i < subsigs; ++i) {
|
1580
|
|
- if (strchr(tokens[i+3], '/')) {
|
|
1580
|
+ char *slash = strchr(tokens[i+3], '/');
|
|
1581
|
+ if (slash && strchr(slash+1, '/')) {
|
1581
|
1582
|
cli_warnmsg("cli_loadldb: logical signature for %s uses PCREs but support is disabled, skipping\n", virname);
|
1582
|
1583
|
(*sigs)--;
|
1583
|
1584
|
return CL_SUCCESS;
|
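Review bot: The two-slash test added at 1580–1581 has no comment explaining why a single '/' is no longer enough to mark a subsignature as a PCRE. Presumably a PCRE subsignature is written as Trigger/regex/flags and so always carries at least two slashes, while a lone '/' can occur in other subsignature forms. A comment above `char *slash` such as `/* PCRE subsigs carry two '/' delimiters; a single '/' is not a regex */` would record that. The loop also reads `tokens[i+3]` for every `i < subsigs`, and the bound that keeps this inside `tokens` is established outside this hunk, as is the rest of load_oneldb.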
...
|
...
|
@@ -3174,6 +3175,12 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op
|
3174
|
3174
|
*skip = 1;
|
3175
|
3175
|
return CL_SUCCESS;
|
3176
|
3176
|
}
|
|
3177
|
+
|
|
3178
|
+ if(engine->cb_sigload && engine->cb_sigload("yara", virname, ~options & CL_DB_OFFICIAL, engine->cb_sigload_ctx)) {
|
|
3179
|
+ cli_dbgmsg("cli_loadyara: skipping %s due to callback\n", virname);
|
|
3180
|
+ (*sigs)--;
|
|
3181
|
+ return CL_SUCCESS;
|
|
3182
|
+ }
|
3177
|
3183
|
*/
|
3178
|
3184
|
|
3179
|
3185
|
/*** rule specific checks ***/
|
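Review bot: The `cb_sigload` check added at 3178–3182 is followed directly by a context line that is only `*/`, and the context just above it assigns `*skip`, which the four-argument call `load_oneyara(rule, engine, options, &sigs)` at 3601 suggests is not a parameter of this function. If a comment opens above this hunk, the new block sits inside it and never runs, so rules the signature-load callback should reject would still be loaded. Moving the block below the `*/` would make it live. It also passes `virname`, whereas the other message added to this function uses `rule->identifier`. Whether `virname` is set at this point is not visible, because load_oneyara starts and ends outside the hunk.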
...
|
...
|
@@ -3264,6 +3271,7 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op
|
3264
|
3264
|
free(substr);
|
3265
|
3265
|
} else if (STRING_IS_REGEXP(string)) {
|
3266
|
3266
|
/* TODO - rewrite to NOT use PCRE_BYPASS */
|
|
3267
|
+#if HAVE_PCRE
|
3267
|
3268
|
size_t length = strlen(PCRE_BYPASS) + string->length + 3;
|
3268
|
3269
|
|
3269
|
3270
|
substr = cli_calloc(length, sizeof(char));
|
...
|
...
|
@@ -3280,6 +3288,12 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op
|
3280
|
3280
|
|
3281
|
3281
|
ytable_add_string(&ytable, substr);
|
3282
|
3282
|
free(substr);
|
|
3283
|
+#else
|
|
3284
|
+ cli_warnmsg("cli_loadyara: %s uses PCREs but support is disabled\n", rule->identifier);
|
|
3285
|
+ str_error++;
|
|
3286
|
+ ret = CL_SUCCESS;
|
|
3287
|
+ break;
|
|
3288
|
+#endif
|
3283
|
3289
|
} else {
|
3284
|
3290
|
/* TODO - extract the string length to handle NULL hex-escaped characters
|
3285
|
3291
|
* For now, we'll just use the strlen we get which crudely finds the length
|
...
|
...
|
@@ -3578,7 +3592,6 @@ static int cli_loadyara(FILE *fs, struct cl_engine *engine, unsigned int *signo,
|
3578
|
3578
|
if (rc > 0) { /* rc = number of errors */
|
3579
|
3579
|
/* TODO - handle the various errors? */
|
3580
|
3580
|
cli_errmsg("cli_loadyara: failed to parse rules file %s, error count %i\n", dbname, rc);
|
3581
|
|
-#ifdef YARA_FINISHED
|
3582
|
3581
|
yr_hash_table_destroy(compiler.rules_table, NULL);
|
3583
|
3582
|
yr_hash_table_destroy(compiler.objects_table, NULL);
|
3584
|
3583
|
yr_arena_destroy(compiler.sz_arena);
|
...
|
...
|
@@ -3586,7 +3599,10 @@ static int cli_loadyara(FILE *fs, struct cl_engine *engine, unsigned int *signo,
|
3586
|
3586
|
yr_arena_destroy(compiler.code_arena);
|
3587
|
3587
|
yr_arena_destroy(compiler.strings_arena);
|
3588
|
3588
|
yr_arena_destroy(compiler.metas_arena);
|
|
3589
|
+#ifdef YARA_FINISHED
|
3589
|
3590
|
return CL_EMALFDB;
|
|
3591
|
+#else
|
|
3592
|
+ return CL_SUCCESS;
|
3590
|
3593
|
#endif
|
3591
|
3594
|
}
|
3592
|
3595
|
|
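Review bot: The `#else` branch added at 3591–3592 returns `CL_SUCCESS` after the rules file failed to parse, so in builds without `YARA_FINISHED` the caller cannot tell a rejected rules file from a loaded one. The only trace is the `cli_errmsg` line. That fails open for detection coverage and deserves at least a comment above the return, e.g. `/* YARA support unfinished: an unparsable rules file is skipped, not treated as a malformed database */`, and ideally a counter comparable to `yara_empty` so the skip is reported. The hunks at 3601 and 3615 appear to take the opposite line: `break` and `if(rc) return rc;` are now unconditional, so a single rule that `load_oneyara` fails on aborts the file with an error while a wholly unparsable file is tolerated. cli_loadyara starts and ends outside these hunks.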
...
|
...
|
@@ -3601,9 +3617,7 @@ static int cli_loadyara(FILE *fs, struct cl_engine *engine, unsigned int *signo,
|
3601
|
3601
|
rc = load_oneyara(rule, engine, options, &sigs);
|
3602
|
3602
|
if (rc != CL_SUCCESS) {
|
3603
|
3603
|
cli_warnmsg("cli_loadyara: problem parsing yara file %s, yara rule %s\n", dbname, rule->identifier);
|
3604
|
|
-#ifdef YARA_FINISHED
|
3605
|
3604
|
break;
|
3606
|
|
-#endif
|
3607
|
3605
|
}
|
3608
|
3606
|
}
|
3609
|
3607
|
|
...
|
...
|
@@ -3615,18 +3629,15 @@ static int cli_loadyara(FILE *fs, struct cl_engine *engine, unsigned int *signo,
|
3615
|
3615
|
yr_arena_destroy(compiler.strings_arena);
|
3616
|
3616
|
yr_arena_destroy(compiler.metas_arena);
|
3617
|
3617
|
|
3618
|
|
-#ifdef YARA_FINISHED
|
3619
|
3618
|
if(rc)
|
3620
|
3619
|
return rc;
|
3621
|
3620
|
|
|
3621
|
+#ifdef YARA_FINISHED
|
3622
|
3622
|
if(!rules) {
|
3623
|
3623
|
cli_errmsg("cli_loadyara: empty database file\n");
|
3624
|
3624
|
return CL_EMALFDB;
|
3625
|
3625
|
}
|
3626
|
3626
|
#else
|
3627
|
|
- if(rc)
|
3628
|
|
- return CL_SUCCESS;
|
3629
|
|
-
|
3630
|
3627
|
if(!rules) {
|
3631
|
3628
|
cli_warnmsg("cli_loadyara: empty database file\n");
|
3632
|
3629
|
yara_empty++;
|